
Survey reveals the scope of 'shadow IT'

Nine organisations covering 25,000 users are clueless on an important score. With special feature audio.

Wed, 02 Mar 2016

Cloud services are hot, but are they also out of control, with staff using personal accounts on the likes of Dropbox and Apple iCloud for work, and IT staff ignorant of where cloud data is stored, or even of which cloud services are being used?

A new survey of nine public and private organisations, with a total of 25,000 employees, indicates they are.

Resultex, the Wellington-based IT services consultancy that carried it out, says data from the survey indicates chief information officers (CIOs) are unaware of a staggering 90% of cloud-based services in their organisations.

And of those rogue cloud services, 6% are considered high risk, meaning they could result in data theft.

Resultex cloud adoption services head Robin Whitaker says the survey reveals the size of what he calls "shadow IT" for New Zealand organisations.

Shadow IT refers to information technology projects and apps that are managed and accessed outside of, and without the knowledge of, the IT department.

During the audit, Resultex found that the average organisation had more than 720 cloud services running, with nearly 6% of these services being considered high risk.

Resultex, which has partnered with Skyhigh Networks, compared the cloud services in use to the 15,000 services in the Skyhigh global risk register, which assesses each service against 50 attributes in areas such as data risk, service and business risk.

Findings included:

  • 5.8% (110) of services are assessed by Skyhigh as high risk. Skyhigh assesses cloud services for enterprise readiness, including whether data is encrypted at rest and in transit, whether sites have been compromised, and whether they support multi-factor authentication and claim ownership of the data.
  • More than 600 services don’t define who owns the data uploaded to them, which means many will use the uploaded data for their own purposes.
  • The nine New Zealand organisations used 216 human resource services that are outside New Zealand, with the US most popular for HR.
  • 230 servers are known to be vulnerable to such things as POODLE (a security exploit that lets hackers access encrypted files).
  • 34 services being used had been breached/hacked in the previous six months.

While it's debatable if simply using a service like HR based outside New Zealand is a security threat, it's concerning that many of those surveyed were ignorant of where cloud services physically stored their data (a government-funded project led by Waikato University is seeking to create tools for tracking cloud data around the planet, and when it's accessed).

“From a security point of view, it’s concerning when both private businesses and government organisations are unaware of how many services are running, where the data sent to these services is stored or who owns the data after it is uploaded,” Mr Whitaker says.

“More than 600 of the services in use did not have a policy on ownership of data, which opens up the possibility for these services to use an organisation's data for their own purposes,” he says.

The survey found the average organisation has:

  • 729 different cloud services;
  • 24 file sharing services (Dropbox, Google Drive etc);
  • 39 social media services (Facebook, Twitter etc);
  • 149 collaboration services (Office 365, Gmail, Evernote etc);
  • 40 different content sharing services (YouTube, LiveLeak etc); and
  • 27 tracking services, which are targeted by criminals via "watering hole" attacks: a hacker identifies a website often visited by members of a company he or she is targeting, then infects that website with malware.
© All content copyright NBR. Do not reproduce in any form without permission, even if you have a paid subscription.